Unsecured XML parsers can permit an attacker to probe your file system
for sensitive information. If your site accepts XML in any fashion, you
need to ensure your parser is correctly configured.

Risks

Prevalence: Rare
Exploitability: Difficult
Impact: Devastating

XML External Entity attacks allow a malicious user to
read arbitrary files on your server. Getting access to the server’s file
system is often the first step an attacker will take when compromising
your system. Unless you deploy an intrusion detection system,
you will often not know an attack is occurring until it’s too late.

Even big companies like Facebook
have suffered from this vulnerability in the past.
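One way to configure a parser correctly, as an added example that is not code from the original page: a Python wrapper around the standard library's expat bindings that refuses any document declaring a DOCTYPE or an entity, so an external entity is never resolved. The names `parse_untrusted`, `rejection_reason` and `ForbiddenXML`, and the sample documents, are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed sample inputs (the file URI is a placeholder, not a real path).
BENIGN = b"<order><item>book</item></order>"
DOCTYPE_ONLY = b"<!DOCTYPE order><order/>"
XXE_SAMPLE = (b'<?xml version="1.0"?>\n'
              b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/path">]>\n'
              b"<order><item>&ext;</item></order>")


class ForbiddenXML(ValueError):
    """The document uses a DTD feature that this parser refuses."""


def parse_untrusted(data: bytes, forbid_dtd: bool = True) -> ET.Element:
    """Build an element tree, rejecting DOCTYPE and entity declarations."""
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if forbid_dtd:  # strictest policy: no DTD of any kind
            raise ForbiddenXML(f"DOCTYPE declaration {name!r} not allowed")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Fires when an entity is declared, before any reference is expanded.
        kind = "external" if system_id or public_id else "internal"
        raise ForbiddenXML(f"{kind} entity {name!r} not allowed")

    def on_external_ref(context, base, system_id, public_id):
        # Defence in depth: refuse to fetch anything outside the document.
        raise ForbiddenXML(f"external reference to {system_id!r} not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)  # an exception raised in a handler aborts the parse
    return builder.close()


def rejection_reason(data: bytes, forbid_dtd: bool = True):
    """Return why a document was refused, or None if it parsed."""
    try:
        parse_untrusted(data, forbid_dtd)
    except ForbiddenXML as exc:
        return str(exc)
    return None
```

Rejections are worth logging with the request source, since a DOCTYPE in input that never legitimately carries one is a useful detection signal.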